search

opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues
Other
16 stars 0 forks source link

Generate a Risk Management Framework (RMF) output #39

Open JJediny opened 6 years ago

JJediny commented 6 years ago

NIST has done a relatively great job (IMHO) of translating/mapping the RMF to NIST-800-53 through the NIST Framework for Improving Critical Infrastructure Cybersecurity

Considering the highlevel controls are already mapped we should be able to parse out control enhancements `i.e. those additional questions based on whether a system is Low/Moderate/High) to their root control and map that back to the framework as a way to assess how a system is addressing RMF using the mappings provided by NIST

For reference only on existing control mappings: https://gist.github.com/JJediny/65438415b5e38ac7560ad5f5597f1877

Updated: 1/13/2017 - Updated with Draft v1.1 https://www.nist.gov/cyberframework/draft-version-11
NIST CSF has three levels: Function -> Category -> Subcategory
###################
#  Subcategory  # 
###################
-
   Category: ID.AM
   Subcategory: 1
   Description:  Physical devices and systems within the organization are inventoried
   Component: 
   Control:
   - CM-8
-
   Category: ID.AM
   Subcategory: 2
   Description:  Software platforms and applications within the organization are inventoried
   Component:
   Control:
   - CM-8
-
   Category: ID.AM
   Subcategory: 3
   Description:  Organizational communication and data flows are mapped
   Component:
   Control:
   - AC-4
   - CA-3
   - CA-9
   - PL-8
-
   Category: ID.AM
   Subcategory: 4
   Description:  External information systems are cataloged
   Component:
   Control:
   - AC-20
   - SA-9
-
   Category: ID.AM
   Subcategory: 5
   Description:  Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value
   Component:
   Control:
   - CP-2
   - RA-2
   - SA-14
-
   Category: ID.AM
   Subcategory: 6
   Description:  Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
   Component:
   Control:
   - CP-2
   - PS-7
   - PM-11 
-
   Category: ID.BE
   Subcategory: 1
   Description:  The organization’s role in the supply chain is identified and communicated
   Component:
   Control:
   - CP-2
   - SA-12
-
   Category: ID.BE
   Subcategory: 2
   Description:  The organization’s place in critical infrastructure and its industry sector is identified and communicated
   Component:
   Control:
   - PM-8
-
   Category: ID.BE
   Subcategory: 3
   Description:  Priorities for organizational mission, objectives, and activities are established and communicated
   Component:
   Control:
   - PM-11
   - SA-14
-
   Category: ID.BE
   Subcategory: 4
   Description:  Dependencies and critical functions for delivery of critical services are established
   Component:
   Control:
   - CP-8
   - PE-9
   - PE-11
   - PM-8
   - SA-14
-
   Category: ID.BE
   Subcategory: 5
   Description:  Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
   Component:
   Control:
   - CP-2
   - CP-11
   - SA-14
-
   Category: ID.GV
   Subcategory: 1
   Description:  Organizational information security policy is established
   Component:
   Control:
   - All
-
   Category: ID.GV
   Subcategory: 2
   Description:  Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
   Component:
   Control:
   - PM-1
   - PS-7
-
   Category: ID.GV
   Subcategory: 3
   Description:  Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
   Component:
   Control: 
   - All
-
   Category: ID.GV
   Subcategory: 4
   Description:  Governance and risk management processes address cybersecurity risks
   Component:
   Control:
   - PM-9
   - PM-11
-
   Category: ID.RA
   Subcategory: 1
   Description:  Asset vulnerabilities are identified and documented
   Component:
   Control:
   - CA-2
   - CA-7
   - CA-8
   - RA-3
   - RA-5
   - SA-5
   - SA-11
   - SI-2
   - SI-4
   - SI-5
-
   Category: ID.RA
   Subcategory: 2
   Description:  Cyber threat intelligence is received from information sharing forums and sources
   Component:
   Control:
   - PM-15
   - PM-16
   - SI-5
-
   Category: ID.RA
   Subcategory: 3
   Description:  Threats, both internal and external, are identified and documented
   Component:
   Control:
   - RA-3
   - SI-5
   - PM-12
   - PM-16
-
   Category: ID.RA
   Subcategory: 4
   Description:  Potential business impacts and likelihoods are identified
   Component:
   Control:
   - RA-2
   - RA-3
   - PM-9
   - PM-11
   - SA-14
-
   Category: ID.RA
   Subcategory: 5
   Description:  Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
   Component:
   Control:
   - RA-2
   - RA-3
   - PM-16
-
   Category: ID.RA
   Subcategory: 6
   Description:  Risk responses are identified and prioritized
   Component:
   Control:
   - PM-4
   - PM-9
-
   Category: ID.RM
   Subcategory: 1
   Description:  Risk management processes are established, managed, and agreed to by organizational stakeholders
   Component:
   Control:
   - PM-9
-
   Category: ID.RM
   Subcategory: 2
   Description:  Organizational risk tolerance is determined and clearly expressed
   Component:
   Control:
   - PM-9
-
   Category: ID.RM
   Subcategory: 3
   Description:  The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
   Component:
   Control:
   - PM-8
   - PM-9
   - PM-11
   - SA-14
-
   Category: ID.SC
   Subcategory: 1
   Description:  Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
   Component:
   Control:
   - SA-9
   - SA-12
   - PM-9
-
   Category: ID.SC
   Subcategory: 2
   Description:  Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process
   Component:
   Control:
   - RA-2
   - RA-3
   - SA-12
   - SA-14
   - SA-15
   - PM-9
-
   Category: ID.SC
   Subcategory: 3
   Description:   Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan.
   Component:
   Control:
   - SA-9
   - SA-11
   - SA-12
   - PM-9
-
   Category: ID.SC
   Subcategory: 4
   Description:   Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted
   Component:
   Control:
   - AU-2
   - AU-6
   - AU-12
   - AU-16
   - PS-7
   - SA-9
   - SA-12
-
   Category: ID.SC
   Subcategory: 5
   Description:  Response and recovery planning and testing are conducted with critical suppliers/providers
   Component:
   Control:
   - CP-2
   - CP-4
   - IR-3
   - IR-4
   - IR-6
   - IR-8
   - IR-9
-
   Category: PR.AC
   Subcategory: 1
   Description:  Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes
   Component:
   Control:
   - AC-2
   - IA
-
   Category: PR.AC
   Subcategory: 2
   Description:  Physical access to assets is managed and protected
   Component:
   Control:
   - PE-2
   - PE-3
   - PE-4
   - PE-5
   - PE-6
   - PE-9
-
   Category: PR.AC
   Subcategory: 3
   Description:  Remote access is managed
   Component:
   Control:
   - AC‑17
   - AC-19
   - AC-20
-
   Category: PR.AC
   Subcategory: 4
   Description:  Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
   Component:
   Control:
   - AC-2
   - AC-3
   - AC-5
   - AC-6
   - AC-16
-
   Category: PR.AC
   Subcategory: 5
   Description:  Network integrity is protected, incorporating network segregation where appropriate
   Component:
   Control:
   - AC-4
   - SC-7
-
   Category: PR.AC
   Subcategory: 6
   Description:  Identities are proofed and bound to credentials, and asserted in interactions when appropriate
   Component:
   Control:
   - AC-2
   - AC-3
   - AC-5
   - AC-6
   - AC-16
   - AC-19
   - AC-24
   - IA-2
   - IA-4
   - IA-5
   - IA-8
   - PE-2
   - PS-3

-
   Category: PR.AT
   Subcategory: 1
   Description:  All users are informed and trained
   Component:
   Control:
   - AT-2
   - PM-13
-
   Category: PR.AT
   Subcategory: 2
   Description:  Privileged users understand roles & responsibilities
   Component:
   Control:
   - AT-3
   - PM-13
-
   Category: PR.AT
   Subcategory: 3
   Description:  Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
   Component:
   Control:
   - PS-7
   - SA-9
-
   Category: PR.AT
   Subcategory: 4
   Description:  Senior executives understand roles & responsibilities
   Component:
   Control:
   - AT-3
   - PM-13
-
   Category: PR.AT
   Subcategory: 5
   Description:  Physical and information security personnel understand roles & responsibilities
   Component:
   Control:
   - AT-3
   - PM-13
-
   Category: PR.DS
   Subcategory: 1
   Description:  Data-at-rest is protected
   Component:
   Control:
   - SC-28
-
   Category: PR.DS
   Subcategory: 2
   Description:  Data-in-transit is protected
   Component:
   Control:
   - SC-8
-
   Category: PR.DS
   Subcategory: 3
   Description:  Assets are formally managed throughout removal, transfers, and disposition
   Component:
   Control:
   - CM-8
   - MP-6
   - PE-16
-
   Category: PR.DS
   Subcategory: 4
   Description:  Adequate capacity to ensure availability is maintained
   Component:
   Control:
   - AU-4
   - CP-2
   - SC-5
-
   Category: PR.DS
   Subcategory: 5
   Description:  Protections against data leaks are implemented
   Component:
   Control:
   - AC-4
   - AC-5
   - AC-6
   - PE-19
   - PS-3
   - PS-6
   - SC-7
   - SC-8
   - SC-13
   - SC-31
   - SI-4
-
   Category: PR.DS
   Subcategory: 6
   Description:  Integrity checking mechanisms are used to verify software, firmware, and information integrity
   Component:
   Control:
   - SI-7
-
   Category: PR.DS
   Subcategory: 7
   Description:  The development and testing environment(s) are separate from the production environment
   Component:
   Control:
   - CM-2
-
   Category: PR.DS
   Subcategory: 8
   Description:  Integrity checking mechanisms are used to verify hardware integrity
   Component:
   Control:
   - SA-10
   - SI-7

-
   Category: PR.IP
   Subcategory: 1
   Description:  A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)
   Component:
   Control:
   - CM-2
   - CM-3
   - CM-4
   - CM-5
   - CM-6
   - CM-7
   - CM-9
   - SA-10
-
   Category: PR.IP
   Subcategory: 2
   Description:  A System Development Life Cycle to manage systems is implemented
   Component:
   Control:
   - SA-3
   - SA-4
   - SA-8
   - SA-10
   - SA-11
   - SA-12
   - SA-15
   - SA-17
   - PL-8
-
   Category: PR.IP
   Subcategory: 3
   Description:  Configuration change control processes are in place
   Component:
   Control: 
   - CM-3
   - CM-4
   - SA-10
-
   Category: PR.IP
   Subcategory: 4
   Description:  Backups of information are conducted, maintained, and tested periodically
   Component:
   Control: 
   - CP-4
   - CP-6
   - CP-9
-
   Category: PR.IP
   Subcategory: 5
   Description:  Policy and regulations regarding the physical operating environment for organizational assets are met
   Component:
   Control: 
   - PE-10
   - PE-12
   - PE-13
   - PE-14
   - PE-15
   - PE-18
-
   Category: PR.IP
   Subcategory: 6
   Description:  Data is destroyed according to policy
   Component:
   Control: 
   - MP-6
-
   Category: PR.IP
   Subcategory: 7
   Description:  Protection processes are continuously improved
   Component:
   Control: 
   - CA-7
   - CP-2
   - IR-8
   - PL-2
   - PM-6
-
   Category: PR.IP
   Subcategory: 8
   Description:  Effectiveness of protection technologies is shared with appropriate parties
   Component:
   Control: 
   - AC-21
   - CA-7
   - SI-4
-
   Category: PR.IP
   Subcategory: 9
   Description:  Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
   Component:
   Control: 
   - CP-2
   - IR-8
-
   Category: PR.IP
   Subcategory: 10
   Description:  Response and recovery plans are tested
   Component:
   Control: 
   - IR-3
   - PM-14
-
   Category: PR.IP
   Subcategory: 11
   Description:  Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
   Component:
   Control: 
   - PS
-
   Category: PR.IP
   Subcategory: 12
   Description:  A vulnerability management plan is developed and implemented
   Component:
   Control: 
   - RA-3
   - RA-5
   - SI-2
-
   Category: PR.MA
   Subcategory: 1
   Description:  Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
   Component:
   Control: 
   - MA-2
   - MA-3
   - MA-5
-
   Category: PR.MA
   Subcategory: 2
   Description:  Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
   Component:
   Control: 
   - MA-4
-
   Category: PR.PT
   Subcategory: 1
   Description:  Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
   Component:
   Control: 
   - AU
-
   Category: PR.PT
   Subcategory: 2
   Description:  Removable media is protected and its use restricted according to policy
   Component:
   Control: 
   - MP-2
   - MP-4
   - MP-5
   - MP-7
-
   Category: PR.PT
   Subcategory: 3
   Description:  The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
   Component:
   Control: 
   - AC-3
   - CM-7
-
   Category: PR.PT
   Subcategory: 4
   Description:  Communications and control networks are protected
   Component:
   Control: 
   - AC-4
   - AC-17
   - AC-18
   - CP-8
   - SC-7
-
   Category: PR.PT
   Subcategory: 5
   Description:  Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations).
   Component:
   Control: 
   - CP-7
   - CP-8
   - CP-11
   - CP-13
   - PL-8
   - SA-14
   - SC-6
-
   Category: DE.AE
   Subcategory: 1
   Description:  A baseline of network operations and expected data flows for users and systems is established and managed
   Component:
   Control: 
   - AC-4
   - CA-3
   - CM-2
   - SI-4
-
   Category: DE.AE
   Subcategory: 2
   Description:  Detected events are analyzed to understand attack targets and methods
   Component:
   Control: 
   - AU-6
   - CA-7
   - IR-4
   - SI-4
-
   Category: DE.AE
   Subcategory: 3
   Description:  Event data are aggregated and correlated from multiple sources and sensors
   Component:
   Control: 
   - AU-6
   - CA-7
   - IR-4
   - IR-5
   - IR-8
   - SI-4
-
   Category: DE.AE
   Subcategory: 4
   Description:  Impact of events is determined
   Component:
   Control: 
   - CP-2
   - IR-4
   - RA-3
   - SI -4
-
   Category: DE.AE
   Subcategory: 5
   Description:  Incident alert thresholds are established
   Component:
   Control: 
   - IR-4
   - IR-5
   - IR-8
-
   Category: DE.CM
   Subcategory: 1
   Description:  The network is monitored to detect potential cybersecurity events
   Component:
   Control: 
   - AC-2
   - AU-12
   - CA-7
   - CM-3
   - SC-5
   - SC-7
   - SI-4
-
   Category: DE.CM
   Subcategory: 2
   Description:  The physical environment is monitored to detect potential cybersecurity events
   Component:
   Control: 
   - CA-7
   - PE-3
   - PE-6
   - PE-20
-
   Category: DE.CM
   Subcategory: 3
   Description:  Personnel activity is monitored to detect potential cybersecurity events
   Component:
   Control: 
   - AC-2
   - AU-12
   - AU-13
   - CA-7
   - CM-10
   - CM-11
-
   Category: DE.CM
   Subcategory: 4
   Description:  Malicious code is detected
   Component:
   Control: 
   - SI-3
-
   Category: DE.CM
   Subcategory: 5
   Description:  Unauthorized mobile code is detected
   Component:
   Control: 
   - SC-18
   - SI-4
   - SC-44
-
   Category: DE.CM
   Subcategory: 6
   Description:  External service provider activity is monitored to detect potential cybersecurity events
   Component:
   Control: 
   - CA-7
   - PS-7
   - SA-4
   - SA-9
   - SI-4
-
   Category: DE.CM
   Subcategory: 7
   Description:  Monitoring for unauthorized personnel, connections, devices, and software is performed
   Component:
   Control: 
   - AU-12
   - CA-7
   - CM-3
   - CM-8
   - PE-3
   - PE-6
   - PE-20
   - SI-4
-
   Category: DE.CM
   Subcategory: 8
   Description:  Vulnerability scans are performed
   Component:
   Control: 
   - RA-5
-
   Category: DE.DP
   Subcategory: 1
   Description:  Roles and responsibilities for detection are well defined to ensure accountability
   Component:
   Control: 
   - CA-2
   - CA-7
   - PM-14
-
   Category: DE.DP
   Subcategory: 2
   Description:  Detection activities comply with all applicable requirements
   Component:
   Control: 
   - CA-2
   - CA-7
   - PM-14
   - SI-4
-
   Category: DE.DP
   Subcategory: 3
   Description:  Detection processes are tested
   Component:
   Control: 
   - CA-2
   - CA-7
   - PE-3
   - PM-14
   - SI-3
   - SI-4
-
   Category: DE.DP
   Subcategory: 4
   Description:  Event detection information is communicated to appropriate parties
   Component:
   Control: 
   - AU-6
   - CA-2
   - CA-7
   - RA-5
   - SI-4
-
   Category: DE.DP
   Subcategory: 5
   Description:  Detection processes are continuously improved
   Component:
   Control: 
   - CA-2
   - CA-7
   - PL-2
   - RA-5
   - SI-4
   - PM-14
-
   Category: RS.RP
   Subcategory: 1
   Description:  Response plan is executed during or after an event
   Component:
   Control: 
   - CP-2
   - CP-10
   - IR-4
   - IR-8
-
   Category: RS.CO
   Subcategory: 1
   Description:  Personnel know their roles and order of operations when a response is needed
   Component:
   Control: 
   - CP-2
   - CP-3
   - IR-3
   - IR-8
-
   Category: RS.CO
   Subcategory: 2
   Description:  Events are reported consistent with established criteria
   Component:
   Control: 
   - AU-6
   - IR-6
   - IR-8
-
   Category: RS.CO
   Subcategory: 3
   Description:  Information is shared consistent with response plans
   Component:
   Control: 
   - CA-2
   - CA-7
   - CP-2
   - IR-4
   - IR-8
   - PE-6
   - RA-5
   - SI-4
-
   Category: RS.CO
   Subcategory: 4
   Description:  Coordination with stakeholders occurs consistent with response plans
   Component:
   Control: 
   - CP-2
   - IR-4
   - IR-8
-
   Category: RS.CO
   Subcategory: 5
   Description: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
   Component:
   Control: 
   - PM-15
   - SI-5
-
   Category: RS.AN
   Subcategory: 1
   Description:  Notifications from detection systems are investigated 
   Component:
   Control: 
   - AU-6
   - CA-7
   - IR-4
   - IR-5
   - PE-6
   - SI-4
-
   Category: RS.AN
   Subcategory: 2
   Description:  The impact of the incident is understood
   Component:
   Control: 
   - CP-2
   - IR-4
-
   Category: RS.AN
   Subcategory: 3
   Description:  Forensics are performed
   Component:
   Control: 
   - AU-7
   - IR-4
-
   Category: RS.AN
   Subcategory: 4
   Description:  Incidents are categorized consistent with response plans
   Component:
   Control: 
   - CP-2
   - IR-4
   - IR-5
   - IR-8
-
   Category: RS.MI
   Subcategory: 1
   Description:  Incidents are contained
   Component:
   Control: 
   - IR-4
-
   Category: RS.MI
   Subcategory: 2
   Description:  Incidents are mitigated
   Component:
   Control: 
   - IR-4
-
   Category: RS.MI
   Subcategory: 3
   Description:  Newly identified vulnerabilities are mitigated or documented as accepted risks
   Component:
   Control: 
   - CA-7
   - RA-3
   - RA-5
-
   Category: RS.IM
   Subcategory: 1
   Description:  Response plans incorporate lessons learned
   Component:
   Control: 
   - CP-2
   - IR-4
   - IR-8
-
   Category: RS.IM
   Subcategory: 2
   Description:  Response strategies are updated
   Component:
   Control: 
   - CP-2
   - IR-4
   - IR-8
-
   Category: RC.RP
   Subcategory: 1
   Description:  Recovery plan is executed during or after an event
   Component:
   Control: 
   - CP-10
   - IR-4
   - IR-8
-
   Category: RC.IM
   Subcategory: 1
   Description:  Recovery plans incorporate lessons learned
   Component:
   Control: 
   - CP-2
   - IR-4
   - IR-8
-
   Category: RC.IM
   Subcategory: 2
   Description:  Recovery strategies are updated
   Component:
   Control: 
   - CP-2
   - IR-4
   - IR-8
-
   Category: RC.CO
   Subcategory: 3
   Description:  Recovery activities are communicated to internal stakeholders and executive and management teams
   Component:
   Control: 
   - CP-2
   - IR-4